I’ve covered issues surrounding the General Data Protection Regulation already, but as promised, here’s a second opinion from an expert on the subject, Catherine Roberts of Know Your Compliance. She says that the Can We Continue to Email Everyone in our Database article here would be the common sense way to approach direct marketing after May 25th 2018. Unfortunately, Catherine continues, common sense and regulations seldom go hand in hand!
The General Data Protection Regulation (GDPR) and how it relates to direct marketing by electronic means (i.e. email, text, automated calls etc) is a highly debated area, with thousands of organisations poised over their marketing databases wondering whether it is business as usual or if they need to delete large portions of their contact lists.
So why has so much confusion come about? To begin with, many people have read the GDPR in isolation of any other guidance or legislation, resulting in misunderstandings and confusion. However, even when read together, there are still gaps that are often filled with opinions and sometimes, guesswork.
To ensure that the GDPR reference to direct marketing and how this relates to personal data is read and implemented compliantly, it is essential to read the GDPR in conjunction with The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This Regulation enforces the direct marketing rules, which will continue to be the case after May 25th, 2018, and until the new ePrivacy Regulation comes into force (date yet to be confirmed).
The GDPR relates to the processing of personal data and defines what personal data is. It refers to marketing by advising that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” and noting that individuals have the right to object to direct marketing.
The PECR provides the rules on sending marketing and advertising by electronic means and states the type of data that is covered by the Regulation and how this can be used in marketing. The PECR states that where direct marketing involves the processing of personal data, the data protection laws must also be complied with.
Personal Data vs B2B
With the introduction of the GDPR and the requirement to ensure that we have a valid ‘legal basis’ for processing any personal data, confusion has now spread about how this ties in with the PECR; especially given that the PECR does not cover ‘corporate subscribers’. However, if the corporate details identify a person (i.e. firstname.lastname@example.org), they do come under the scope of the GDPR.
To get to the bottom of what to do with our existing marketing lists and how to proceed going forward, it is important to recap on what is covered by the PECR and GDPR in terms of data.
The GDPR covers any ‘personal data’ which identifies (directly or indirectly) an individual. For the purposes of direct marketing by electronic means (text, email, automated calls etc), this includes personal contact details and email addresses and corporate contact details and email addresses if the employee can be identified. So email@example.com would be in the scope of the GDPR, but firstname.lastname@example.org would not be.
The PECR only covers ‘individual subscribers’, which includes sole traders and some partnerships, but clearly states that “the rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies”.
So, any personal individual contacts on our marketing lists come under the scope of the GDPR and the PECR, whilst identifiable corporate subscribers only come under the scope of the GDPR.
|Type of Subscriber||Individual Subscriber||Corporate Subscriber||Corporate Subscriber|
|Example of Subscriberemail@example.comfirstname.lastname@example.orgemail@example.com|
|Which Regulation Applies||GDPR & PECR||GDPR Only||Neither|
Consent, Legitimate Interests and Marketing
Now that we know what type of contact details and email address are covered by which Regulation, we should be able to determine how we can use our marketing lists and what requirements apply to the contacts on them. It should be said that there are still many differing opinions in this area, with my personal opinion being noted in this article, which is based on the PECR and GDPR content, coupled with the ICO’s guidance on direct marketing, business-business marketing with the GDPR and PECR.
When sending direct marketing to individuals, we will need to have both a ‘legal basis’ under the GDPR and comply with either the ‘consent’ or ‘soft opt-in’ rule under the PECR. For employee corporate contacts, it is just a GDPR ‘legal basis’ that must be identified.
The rules under the PECR work very well with the GDPR’s legal basis, so we won’t usually need to take two different actions to gain opt-in to marketing databases.
Where the contact is under the scope of both regulations (an individual), the PECR requires consent to send direct marketing by electronic means. Consent should be obtained using a GDPR compliant mechanism (affirmative action, unticked opt-in etc); and the documented GDPR legal basis will also be consent.
The only exception to obtaining the above marketing consent under the PECR is the ‘soft opt-in’ rule that relates to customers. When an individual’s contact details are obtained in the course of a sale (or negotiations for a sale) of a product or service, we do not need their consent to send direct marketing by electronic means, providing these conditions are met:
- The details we obtained in the course of a sale (negotiations for a sale) of a product or service;
- The messages relate only to marketing of similar products or services; and
- The person has the option to refuse the marketing when they provide their details and can opt-out/unsubscribe in all future messages
In the above circumstances, we can rely on legitimate interests as our legal basis under the GDPR for processing the personal data.
The PECR’s rules on consent and soft opt-in do not apply to electronic marketing messages sent to ‘corporate subscribers’; however, the GDPR does apply where the contact details identify an individual (i.e. firstname.lastname@example.org). So we will still need to identify and record the most appropriate legal basis for processing such data.
The most appropriate legal basis is likely to be legitimate interests for business contacts, but we will still need to evidence that we have assessed and balanced the interests of the contacts in any marketing list and that the processing is something that the contact would expect to receive and is not intrusive. This includes ensuring that the person is given the chance to opt-out of marketing when they provide their details and in all future marketing messages.
Remember that the GDPR’s Article 21 gives individuals the right to object to processing of their personal data for the purposes of direct marketing. We should inform them of this right in our privacy notices and be aware that where the individual raises such an objection, this overrides our legitimate interests and we must stop processing their data for direct marketing purposes.
Where the PECR does not apply (corporate subscribers), but the GDPR does, and through balancing and necessity tests we cannot (or are unsure if you can) rely on legitimate interests as your legal basis for marketing, we can obtain consent from the person to send them direct marketing. Such consent must comply with the GDPR requirements and be an affirmative action.
Reviewing Existing Marketing Databases
Now that you know what type of marketing contacts/subscribers are in the scope of the GDPR and/or PECR, you can review your existing marketing database to see if you meet the GDPR requirements or where any further actions may be necessary.
For any individual contact details and emails used for direct marketing by electronic means, you should already be using a valid consent or soft opt-in as the PECR is not new and this is a legal requirement.
- If you have a valid soft opt-in, you can rely on legitimate interests under the GDPR to continue marketing, ensuring that all marketing continues to offer an unsubscribe option and any objections to processing are actioned.
- If you have obtained consent under the PECR, you will now need to ensure that this consent is GDPR compliant (this is where the re-obtaining consent requirement by the ICO comes in). The GDPR advises that all consent must be GDPR compliant, not just those obtained after May 25th. If you previously used pre-ticked consent boxes or cannot evidence when and how consent was obtained, you will need to reobtain a GDPR compliant consent to carry on marketing.
For employee corporate contact details where the PECR does not apply but the GDPR does, you may not already have consent or a soft opt-in as they are not required under the PECR. So, you will now need to identify the most appropriate GDPR legal basis for processing these details.
As noted in the previous section, this will either be consent to market or direct marketing as a legitimate interest; the latter being applicable to most B2B contacts and requiring a balancing and necessity test to ensure the interests of the contact are considered and weighed. If you decide not to use legitimate interests, you will need to obtain a GDPR compliant consent to market to such contacts.
An important point to note is the ICO’s guidance that legitimate interests cannot simply be relied upon because the sender believes that the marketing is in the interests of individuals (i.e. vouchers, offers etc). They recommend “focusing on your own interests to avoid undue focus on presumed benefits to customers unless you have very clear evidence of their preferences”.
To summarise, any individual customers on your marketing lists to whom you send similar products and services, will be on your list as a ‘soft opt-in’ and therefore quality for processing under the GDPR as a legitimate interest. Corporate contacts who can be identified will also most likely be sent direct marketing as a legitimate interest in most cases.
It is therefore only individual, non-customer contacts of your list to whom consent applies and you should already have consent in place to send direct marketing to these as it is a PECR requirement. You will only need to re-obtain consent where the originally obtained consent is not GDPR compliant. It is therefore likely that most of your direct marketing will be done under the legitimate interest legal basis and the ‘myth’ that all marketing contacts have to be contacted for new consent or be deleted is far fetched and out of context.
The Regulation itself is the obvious place to start obtaining information about the GDPR and the areas where documentation and measures are required. However, as the direct marketing requirements are not definitive under the GDPR and require the inclusion of the PECR, the ICO’s marketing guidance can prove very useful.